Showing results for 
Search instead for 
Did you mean: 
Create Post
Level 9

SEM\LEM not showing all events

Jump to solution

Why does LEM nDepth only show 20 events, console show 80k and Cisco show 31k

For the past day I've been struggling with why the events leaving my Cisco switches haven't all shown on LEM. At first I thought it was the Cisco devices not sending the data correctly, here is that config

Logging trap debug

logging fac local2

logging host myserverip trans tcp port 514

debug spanning all (Just to generate events)

Show logging

Trap logging: level debugging, 31009 message lines logged

        Logging to myserverip  (tcp port 514, audit disabled,

              link up),

              25601 message lines logged,

              0 message lines rate-limited,

              0 message lines dropped-by-MD,

              xml disabled, sequence number disabled

              filtering disabled

        Logging Source-Interface:       VRF Name:

But then I discovered the SEM console and the "Checklogs" command. Here is that output

        [1]: Syslog Log (260K)

        [2]: SNMP Trap Log (Empty)

        [3]: Snort Alert Log (Empty)

        [4]: Auth Log (Empty)

        [5]: Daemon Log (Empty)

        [6]: User Log (Empty)

        [7]: Rawsearch Log (Empty)

        [8]: Database Log (Empty)

        [9]: Manager Configuration Log (176K)

        [10]: Kernel Log (Empty)

        [11]: Migration log (Empty)

        [12]: Syslog local0 Log (Empty)

        [13]: Syslog local1 Log (Empty)

        [14]: Syslog local2 Log (80K)

        [15]: Syslog local3 Log (Empty)

        [16]: Syslog local4 Log (Empty)

        [17]: Syslog local5 Log (Empty)

        [18]: Syslog local6 Log (Empty)

        [19]: Syslog local7 Log (Empty)

        [20]: Cron Log (Empty)

        [21]: FTP Log (Empty)

        [22]: Printer Log (Empty)

        [23]: Mail Log (Empty)

        [24]: News Log (Empty)

        [25]: Unix-to-Unix Copy Log (Empty)

I can imagine the difference between Cisco and LEM because I have recreated this trap several times trying to get it to work, so 31k to 80k, yeah I can see that but 80,000 to 20? something isn't right

Going to ops center then opening my Cisco node, changing to the last week I only see where users log in or out but none of the STP messages I had generated with the "debug spanning all". What am I missing?

0 Kudos
1 Solution

At the end of the day those connector tools are just a big list of regex rules that parse the incoming event and decide what type of event they are and break out all the parts of the message for normalization.  I've felt hackish before and exported mine out and imported back in a modified version as a new connector profile, but obviously that kind of thing is unsupported.

- Marc Netterfield, Github

View solution in original post

14 Replies